The link in the email actually goes to a URL vantaiduonganh.vn/api/get.php?id= plus a Base64-encoded part of the URL (e.g. aGVscGRlc2tAZmJpLmdvdg==), and it downloads a Word document with the recipient's email address included in it. This type of malware is typically seen using hacked but legitimate Vietnamese sites for this stage in the infection chain.
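The Base64 value in the id parameter is how the kit carries the target's address to the download script, so decoding it from a reported URL tells a responder who was targeted without touching the site. The following is an added example (not code from the original post): it pulls the id parameter, tolerates stripped padding and URL-safe alphabets, and only returns the value if it parses as an email address. The sample URL is constructed from the host and the Base64 example quoted above.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the URL shape described in the post; the id
# value is the Base64 example quoted there.
SAMPLE_URL = "http://vantaiduonganh.vn/api/get.php?id=aGVscGRlc2tAZmJpLmdvdg=="

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_id_param(url, param="id"):
    """Return the decoded Base64 value of the given query parameter, or None.

    Handles two things seen in pasted spam links: padding ('=') stripped from
    the end, and the URL-safe alphabet ('-' '_') in place of '+' '/'.
    """
    values = parse_qs(urlsplit(url).query).get(param)
    if not values:
        return None
    # parse_qs turns a literal '+' into a space; put it back before decoding.
    raw = values[0].strip().replace(" ", "+")
    raw += "=" * (-len(raw) % 4)  # restore padding stripped from the link
    try:
        return base64.b64decode(raw, altchars=b"-_").decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def targeted_recipient(url):
    """If the decoded id looks like an email address, return it lower-cased."""
    decoded = decode_id_param(url)
    if decoded and EMAIL_RE.match(decoded):
        return decoded.lower()
    return None


if __name__ == "__main__":
    print("targeted recipient:", targeted_recipient(SAMPLE_URL))
```

Run against a batch of reported URLs, the recovered addresses give the set of mailboxes that received the lure, which is the list to check for opened attachments.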

This DOC file contains a malicious macro; the Malwr report indicates that it downloads components from:

The office printer is having problems so I've had to email the UPS label,sorry for the inconvenience.

Cheers

Laurence lumb

Attached is a ZIP file with a name beginning "Label" plus a random number. This contains a malicious .WSF script file that downloads Locky ransomware from one of the following locations (according to my trusted source):

This dropped binary has a detection rate of 6/54. It phones home to the following locations:
185.129.148.19/php/upload.php (MWTV, Latvia)
51.255.107.8/php/upload.php (Webhost LLC Dmitrii Podelko, Russia / OVH, France)
194.67.210.183/php/upload.php (Marosnet, Russia)

Monday, 26 August 2013

New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.

Attached is a file UPS Invoice 74458652 which in turn contains a file called UPS Invoice {DIGIT[8]}.exe, which presumably isn't meant to be named like that.
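Both of the attachment lures described above (the "Label" ZIP carrying a .WSF script, and the UPS Invoice ZIP carrying an .exe whose name still has the kit's unrendered {DIGIT[8]} token) can be caught at the mail gateway by looking inside the archive rather than at the outer filename alone. The following is an added example (not code from the original post) of such a check; the archive names, member names and extension list are constructed from the samples quoted above, and the ZIP files are built in memory so it runs offline.

```python
import io
import os
import re
import zipfile

# Member types a courier label or invoice has no business containing; the
# post's samples use .wsf and .exe, the rest are common script droppers.
SCRIPT_AND_EXE_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".exe", ".scr", ".hta"}

# Unrendered spam-kit template tokens such as "{DIGIT[8]}" quoted in the post.
TEMPLATE_TOKEN_RE = re.compile(r"\{[A-Z]+\[\d+\]\}")

# Outer archive names matching the lures described above.
LABEL_NAME_RE = re.compile(r"^(Label|UPS Invoice)[ _]?\d+\.zip$", re.IGNORECASE)


def build_sample_zip(member_names):
    """Constructed in-memory ZIP standing in for a mail attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"constructed placeholder content")
    return buf.getvalue()


def scan_attachment(filename, data):
    """Return the reasons an attachment should be quarantined (empty list = nothing found)."""
    reasons = []
    if LABEL_NAME_RE.match(filename):
        reasons.append("archive name matches courier-label lure pattern")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return reasons + ["attachment is not a valid ZIP"]
    for member in members:
        ext = os.path.splitext(member)[1].lower()
        if ext in SCRIPT_AND_EXE_EXTENSIONS:
            reasons.append(f"{member}: executable/script member ({ext})")
        if TEMPLATE_TOKEN_RE.search(member):
            reasons.append(f"{member}: unrendered template token in member name")
        if member.count(".") >= 2 and ext in SCRIPT_AND_EXE_EXTENSIONS:
            reasons.append(f"{member}: double extension")
    return reasons


if __name__ == "__main__":
    samples = {
        "Label_8827712794.zip": build_sample_zip(["Label_8827712794.wsf"]),
        "UPS Invoice 74458652.zip": build_sample_zip(["UPS Invoice {DIGIT[8]}.exe"]),
        "photos.zip": build_sample_zip(["holiday.jpg"]),
    }
    for name, blob in samples.items():
        print(name, "->", scan_attachment(name, blob) or "clean")
```

The outer-name pattern on its own is a weak signal (legitimate labels exist); the member extension check is the one that matters, and the template-token check catches the kit's sloppiness independently of what the member is called.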

The VirusTotal detection rate is a so-so 18/46. The Malwr analysis is that this is a trojan downloader that attempts to download bad things from the following locations:
[donotclick]gordonpoint.org/forum/viewtopic.php
[donotclick]mierukaproject.jp/PjSE.exe
[donotclick]programcommunications.com/WZP3mMPV.exe
[donotclick]fclww.com/QdytJso0.exe
[donotclick]www.lajen.cz/tPT8oZTB.exe

The VirusTotal detection rate for the downloaded file is not great at just 9/46.

The domain gordonpoint.org is a hijacked GoDaddy domain on 74.207.229.45 (Linode, US) along with several other hijacked domains which are listed below in italics.

© 2013 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

The link in the email goes to a legitimate hacked site that has some highly obfuscated JavaScript that leads to a malware landing page on [donotclick]tvblips.net/news/ups-information.php (report here) hosted on:

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

The link in the email goes through a legitimate hacked site but then ends up on a malicious payload at [donotclick]rmacstolp.net/news/fishs_grands.php (report here and here). The payload appears to be the Blackhole Exploit kit, but the site seems to be either not working or (more likely) is being resistant to analysis.

If not called properly, the malware appears to serve up random payload pages. I think they may be fake ones to evade detection. Here are some of them:
[donotclick]shop.babeta.ru/ftyxsem.php
[donotclick]kontra-antiabzocker.net/cpdedlp.php
[donotclick]www.cyprusivf.net/iabsvkc.php
[donotclick]clubempire.ru/ayrwoxt.php
[donotclick]artstroydom.com/rwlqqtq.php
[donotclick]www.masthotels.gr/ysmaols.php

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.

You may pickup the parcel at our post office.

Please attention!For mode details and shipping label please see the attached file.Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,UPS Logistics Services.

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (UPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

The attachment Label_8827712794.zip contains a malicious binary called Label_8827712794.exe which has a VirusTotal score of just 6/46. ThreatExpert reports that the malware is a Pony downloader which tries to phone home to:
aseforum.ro (199.19.212.149 / Vexxhost, Canada)
23.localizetoday.com (192.81.131.18 / Linode, US)

Assuming that all domains on those are malicious, this is a partial blocklist:
192.81.131.18
199.19.212.149
aseforum.ro
htlounge.com
htlounge.net
topcancernews.com
23.localizetoday.com
23.localizedonline.com
23.localizedonline.net
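The posts above give their indicators in mixed forms: bare IPs and domains in blocklists like this one, callback URLs with paths (the Locky upload.php locations), and "domain (ip / provider, country)" notes. The following is an added example (not code from the original blog) that normalises those lines into one blocklist of IPs and domains, renders the domains in hosts-file sinkhole syntax, and checks whether a hostname falls under a listed domain. The input list is constructed from the indicators quoted in the posts above.

```python
import ipaddress
import re

# Constructed input: indicators copied from the posts above in the mixed
# forms they use (callback URLs, "domain (ip / provider)" notes, bare hosts).
RAW_INDICATORS = [
    "185.129.148.19/php/upload.php",
    "51.255.107.8/php/upload.php",
    "194.67.210.183/php/upload.php",
    "aseforum.ro (199.19.212.149 / Vexxhost, Canada)",
    "23.localizetoday.com (192.81.131.18 / Linode, US)",
    "192.81.131.18", "199.19.212.149", "aseforum.ro", "htlounge.com",
    "htlounge.net", "topcancernews.com", "23.localizetoday.com",
    "23.localizedonline.com", "23.localizedonline.net",
]

# A dotted token: an IP address or a hostname with at least one label separator.
TOKEN_RE = re.compile(r"(?<![\w.-])[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?![\w.-])")
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")


def extract_hosts(line):
    """Pull host-like tokens from one indicator line, dropping URL paths and provider notes."""
    line = line.strip()
    if " " not in line:
        return [line.split("/", 1)[0].lower()]  # "host/path" -> host
    return [t.lower() for t in TOKEN_RE.findall(line)]


def classify(host):
    """'ip', 'domain', or None for tokens that are neither (e.g. 'upload.php')."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain" if DOMAIN_RE.fullmatch(host) else None


def build_blocklist(raw_lines):
    ips, domains = set(), set()
    for line in raw_lines:
        for host in extract_hosts(line):
            kind = classify(host)
            if kind == "ip":
                ips.add(host)
            elif kind == "domain":
                domains.add(host)
    return {"ips": sorted(ips, key=ipaddress.ip_address), "domains": sorted(domains)}


def is_blocked(hostname, blocklist):
    """True if hostname is a listed IP, or equals / sits under a listed domain."""
    hostname = hostname.lower().rstrip(".")
    if hostname in blocklist["ips"]:
        return True
    return any(hostname == d or hostname.endswith("." + d) for d in blocklist["domains"])


def render_hosts_file(blocklist):
    """Sinkhole entries in hosts-file syntax, one per blocked domain."""
    return "\n".join(f"0.0.0.0 {d}" for d in blocklist["domains"])


if __name__ == "__main__":
    bl = build_blocklist(RAW_INDICATORS)
    print("IPs:", ", ".join(bl["ips"]))
    print(render_hosts_file(bl))
```

Blocking by IP covers every domain parked on that host (the posts repeatedly note other malicious domains sharing an address), while the domain list survives the operator moving to a new host; keep both.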

Your USPS TEAM for big savings! Can't see images? CLICK HERE. UPS UPS SUPPORT 56 Not Ready to Open an Account? The UPS Store® can help with full service packing and shipping.Learn More >> UPS - Your UPS Team Good day, [redacted].

Clicking on the attachment sends the intended victim to a malicious web page at [donotclick]himalayaori.ru:8080/forum/links/column.php (report here), in this case via a legitimate hacked site at [donotclick]www.unisgolf.ch/report.htm but that is less important.

You can use UPS .COM to:
Ship Online
Schedule a Pickup
Open a UPS .COM Account

Welcome to UPS Team
Hi, [redacted].

DEAR CUSTOMER , We were not able to delivery the post package

PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.

With best regards , UPS Customer Services.

________________________________________
Copyright 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the Your USPS Team brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
Please do not reply directly to this e-mail. USPS .us Customer Services will not receive any reply message. For questions or comments, visit Contact UPS.
We understand the importance of privacy to our customers. For more information, please consult the Your USPS Customer Services Privacy Policy.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.

There is an attachment UPS_ID5408466.htm which attempts to direct visitors to [donotclick]emmmhhh.ru:8080/forum/links/column.php hosted on:

Tuesday, 18 December 2012

Spammers often get UPS and the USPS mixed up. They're not the same thing at all. And this one throws FilesTube into the mix as well. Anyway, this fake UPS / USPS / FilesTube spam leads to malware on apensiona.ru:

Enjoy all UPS has to offer by linking your My UPS profile to your account.

Link Your
Account Now >>

UPS - UPS .com Customer Services

Good Evening, [redacted].

DEAR USER , Recipient's address is wrong

Track your Shipment now!

With Respect To You , Your UPS .com Customer Services.

Shipping
Tracking
Calculate Time & Cost
Open an Account

@ 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.

This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
USPS Team marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.

The malicious payload is at [donotclick]apensiona.ru:8080/forum/links/column.php which is hosted on 217.112.40.69 (Utransit, claims to be from the UK but probably Russia). The following malicious domains are also on that IP address:

Friday, 5 October 2012

This is an automatically generated email. Please do not reply to this email address.

Dear UPS Customer,

New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center

Please visit the UPS Billing Center to view and pay your invoice.

Discover more about UPS:

Visit ups.com

Explore UPS Freight Services

Learn About UPS Companies

Sign Up For Additional Email From UPS

Read Compass Online

(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.

For more information on UPS's privacy practices, refer to the UPS Privacy Policy.

Please do not reply directly to this e-mail. UPS will not receive any reply message.

For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy

Contact UPS

The malicious payload is at [donotclick]minus.preciseenginewarehouse.com/links/assure_numb_engineers.php hosted on 174.140.165.112 (DirectSpace Networks, US) which also houses the following suspect domains:

The following IPs and domains are all connected and should be blocked:
84.22.100.108
190.10.14.196
203.80.16.81
rumyniaonline.ru
denegnashete.ru
dimabilanch.ru
ioponeslal.ru
soisokdomen.ru
moskowpulkavo.ru
diareuomop.ru
omahabeachs.ru
sectantes-x.ru

Please print out the invoice copy attached and collect the package at our department.

Best Regards , UPS .com Customer Services.

Copyright 2011 United Parcel Service of America, Inc. USPS Services, the Your usps Customer Services brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.

Please do not reply directly to this e-mail. Your USPS .us Customer Services will not receive any reply message. For questions or comments, visit Contact UPS.

We understand the importance of privacy to our customers. For more information, please consult the USPS Team Privacy Policy.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.

The malware can be found at [donotclick]denegnashete.ru:8080/forum/links/column.php which is the same as found on this attack.

This is an automatically generated email Please do not reply to this email address.

Dear UPS Customer,

New invoice(invoices) are available for viewing in UPS billing center. Please note that your UPS invoices should be paid within 14 days to avoid any additional charges.

Please visit the UPS Billing Center to view and pay your invoice.

Find out more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read our official journal

(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

The malicious payload is at [donotclick]peace-computer.com/main.php?page=22b33afad06e9ba5 on 62.109.26.35 (ISPsystem, Russia). The following domains and IPs are all connected to this attack:

This is an automatically generated email Please do not reply to this email address.

Dear UPS Customer,

New invoice(invoices) are available for download in UPS billing center. Do not forget that your UPS invoices should be paid within 28 days so as not to incur any additional charges.

Please surf to the UPS Billing Center to view and pay your invoice.

Find out more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read our official blog

(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

This is an automatically generated email Please do not reply to this email address.

Dear UPS Customer,

New invoice(invoices) are available for viewing in UPS billing center. Do not forget that your UPS invoices should be paid within 28 days to avoid any additional charges.

Please visit the UPS Billing Center to view and pay your invoice.

Find out more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read our official blog

(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

________________________________________
(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

The malicious payload is at [donotclick]proamd-inc.com/main.php?page=8cb1f95c85bce71b (report here) hosted on 164.15.250.148 (Universite Libre de Bruxelles, Belgium).

The following domains and IPs are also involved in this attack and should be blocked:
afriget.net
fonografs.net
proamd-inc.com
thaidescribed.com
80.77.87.185
164.15.250.148
200.184.213.131

Discover more about UPS:
Visit www.ups.com
Sign Up For Additional E-Mail From UPS
Read Compass Online

This message was sent to you at the request of ICRealtime Security Solutions LLC to notify you that the electronic shipment information below has been transmitted to UPS. The physical package(s) may or may not have actually been tendered to UPS for shipment. To verify the actual transit status of your shipment, click on the tracking link below or contact ICRealtime Security Solutions LLC directly.

Click here to track if UPS has received your shipment or visit
http://www.ups.com/WebTracking/track?loc=en_US on the Internet.

____2@@2@@2wowT7qQAXmBSs4ogrWusagY4wa____

© 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Notice
Contact UPS

The malicious payload is at [donotclick]abilenepaint.net/main.php?page=c3c45bf60719e629 (report here) hosted on 109.169.86.139 (Rapidswitch / iomart Hosting Ltd / ThrustVPS, UK) which is the same host used in this attack.

Monday, 18 June 2012

The payload page is at [donotclick]leadgems.net/main.php?page=940489e6fc8f17ed (report here) which is hosted on 192.84.186.206 (Seinajoki University of Applied Sciences, Finland), presumably a hacked server.

Blocking access to 192.84.186.206 will prevent any other malicious sites on the same server from causing a problem.

This message was sent to you at the request of ICRealtime Security Solutions LLC to notify you that the electronic shipment information below has been transmitted to UPS. The physical package(s) may or may not have actually been tendered to UPS for shipment. To verify the actual transit status of your shipment, click on the tracking link below or contact ICRealtime Security Solutions LLC directly.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Notice
Contact UPS

The malicious payload is at [donotclick]autobouracky.net/main.php?page=0e1cb9b71ef021b2 (report here) which is hosted on 173.208.252.207 (Datashack, US).